Establish Federal Cybersecurity for Election Software

This proposal advocates for the Department of Homeland Security to set mandatory cybersecurity standards for election software vendors to prevent vulnerabilities in rural districts during the 2026 midterms. Currently, election software vendors are subject to voluntary certification through the Election Assistance Commission’s Voluntary Voting System Guidelines, but compliance is not required in all states. The proposal would make compliance with updated cybersecurity standards a condition for any vendor seeking to sell election management systems, ballot marking devices, or voter registration databases to state or local governments. Specific requirements include mandatory penetration testing by independent third-party firms, source code escrow arrangements, and real-time intrusion detection systems on all internet-connected election infrastructure. The National Association of Secretaries of State developed the proposal following a 2025 survey of its members that found 37 percent of local election jurisdictions had not conducted a cybersecurity audit in the previous three years, with the gap concentrated in counties with fewer than 50,000 residents. Federal funding of approximately $300 million over five years would accompany the mandate, distributed through the Election Assistance Commission to help under-resourced jurisdictions upgrade legacy systems and hire qualified information security personnel. The proposal includes provisions for an expedited vulnerability disclosure process, requiring vendors to notify affected jurisdictions within 48 hours of discovering a security flaw and to provide patches within 30 days. Several major election technology vendors, including Election Systems and Software and Hart InterCivic, have expressed conditional support for the proposal, provided that the standards are developed through a collaborative rulemaking process rather than imposed unilaterally. Critics, including some state legislators and election officials in states with strong local control traditions, argue that federal mandates on election administration raise constitutional concerns under the Elections Clause and the Tenth Amendment. Cybersecurity researchers at the Belfer Center for Science and International Affairs at Harvard have endorsed the proposal’s core framework but recommended strengthening the supply chain security provisions to address risks from foreign-manufactured hardware components. The proposal also calls for the creation of a national election security operations center that would provide real-time threat intelligence sharing to all 50 states during election periods. If adopted, the mandatory standards would take effect for all federal elections beginning in 2028, with interim voluntary compliance encouraged for the 2026 cycle.